Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-22818 (GCVE-0-2022-22818)
Vulnerability from cvelistv5 – Published: 2022-02-03 00:00 – Updated: 2024-08-03 03:21
VLAI?
EPSS
Summary
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/4.0/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
},
{
"name": "FEDORA-2022-e7fd530688",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
},
{
"name": "DSA-5254",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5254"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-15T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://docs.djangoproject.com/en/4.0/releases/security/"
},
{
"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
},
{
"name": "FEDORA-2022-e7fd530688",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
},
{
"name": "DSA-5254",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5254"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-22818",
"datePublished": "2022-02-03T00:00:00.000Z",
"dateReserved": "2022-01-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:21:49.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22818
Vulnerability from fstec - Published: 01.02.2022
VLAI Severity ?
Title
Уязвимость фреймворка для веб-приложений Django, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга
Description
Уязвимость фреймворка для веб-приложений Django связана с непринятием мер по защите структуры веб-страницы. Эксплуатация уязвимости может позволить нарушителю, дейстующему удаленно, провести атаку межсайтового скриптинга
Severity ?
Vendor
ООО «РусБИТех-Астра», ООО «Ред Софт», Django Software Foundation, АО "НППКТ"
Software Name
Astra Linux Special Edition (запись в едином реестре российских программ №369), Astra Linux Special Edition для «Эльбрус» (запись в едином реестре российских программ №11156), РЕД ОС (запись в едином реестре российских программ №3751), Django, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)
Software Version
1.6 «Смоленск» (Astra Linux Special Edition), 8.1 «Ленинград» (Astra Linux Special Edition для «Эльбрус»), 7.3 (РЕД ОС), 1.7 (Astra Linux Special Edition), от 2.2 до 2.2.27 (Django), от 3.2 до 3.2.12 (Django), от 4.0 до 4.0.2 (Django), 4.7 (Astra Linux Special Edition), до 2.8 (ОСОН ОСнова Оnyx)
Possible Mitigations
Использование рекомендаций:
Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Для Django:
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
Для ОС Astra Linux:
использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20220829SE16
Для ОС Astra Linux Special Edition 1.7:
использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1221SE17MD
Для ОС Astra Linux Special Edition 4.7 для архитектуры ARM:
использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0131SE47MD
Для ОСОН ОСнова Оnyx:
Обновление программного обеспечения python-django до версии 2:2.2.28-1~deb11u1
Для Astra Linux Special Edition для «Эльбрус» 8.1 «Ленинград»:
обновить пакет python-django до 1:1.10.7-2+deb9u17 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se81-bulletin-20230315SE81
Reference
https://redos.red-soft.ru/support/secure/
https://www.cybersecurity-help.cz/vdb/SB2022020110
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
https://wiki.astralinux.ru/astra-linux-se16-bulletin-20220829SE16
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1221SE17MD
https://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0131SE47MD
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.8/
https://wiki.astralinux.ru/astra-linux-se81-bulletin-20230315SE81
CWE
CWE-79
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Django Software Foundation, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), \u043e\u0442 2.2 \u0434\u043e 2.2.27 (Django), \u043e\u0442 3.2 \u0434\u043e 3.2.12 (Django), \u043e\u0442 4.0 \u0434\u043e 4.0.2 (Django), 4.7 (Astra Linux Special Edition), \u0434\u043e 2.8 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f Django:\nhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases/\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20220829SE16\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux Special Edition 1.7:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1221SE17MD\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux Special Edition 4.7 \u0434\u043b\u044f \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b ARM:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0131SE47MD\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f python-django \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2:2.2.28-1~deb11u1\n\n\u0414\u043b\u044f Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 python-django \u0434\u043e 1:1.10.7-2+deb9u17 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se81-bulletin-20230315SE81",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "01.02.2022",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.09.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.02.2022",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-00584",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-22818",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Django, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.8 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u0430 \u0434\u043b\u044f \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Django, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u0440\u043e\u0432\u0435\u0441\u0442\u0438 \u0430\u0442\u0430\u043a\u0443 \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433\u0430",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b (\u0438\u043b\u0438 \\\u00ab\u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0430\u044f \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u0430\u044f \u0430\u0442\u0430\u043a\u0430\\\u00bb) (CWE-79)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u0430 \u0434\u043b\u044f \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Django \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u0440\u043e\u0432\u0435\u0441\u0442\u0438 \u0430\u0442\u0430\u043a\u0443 \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433\u0430",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://redos.red-soft.ru/support/secure/\nhttps://www.cybersecurity-help.cz/vdb/SB2022020110\nhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases/\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20220829SE16\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1221SE17MD\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0131SE47MD\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.8/\nhttps://wiki.astralinux.ru/astra-linux-se81-bulletin-20230315SE81",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-79",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,4)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,1)"
}
PYSEC-2022-19
Vulnerability from pysec - Published: 2022-02-03 02:15 - Updated: 2022-02-03 06:35
VLAI?
Details
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Impacted products
| Name | purl | django | pkg:pypi/django |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django",
"purl": "pkg:pypi/django"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
},
{
"fixed": "2.2.27"
},
{
"introduced": "3.2"
},
{
"fixed": "3.2.12"
},
{
"introduced": "4.0"
},
{
"fixed": "4.0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2",
"2.2.1",
"2.2.10",
"2.2.11",
"2.2.12",
"2.2.13",
"2.2.14",
"2.2.15",
"2.2.16",
"2.2.17",
"2.2.18",
"2.2.19",
"2.2.2",
"2.2.20",
"2.2.21",
"2.2.22",
"2.2.23",
"2.2.24",
"2.2.25",
"2.2.26",
"2.2.3",
"2.2.4",
"2.2.5",
"2.2.6",
"2.2.7",
"2.2.8",
"2.2.9",
"3.2",
"3.2.1",
"3.2.10",
"3.2.11",
"3.2.2",
"3.2.3",
"3.2.4",
"3.2.5",
"3.2.6",
"3.2.7",
"3.2.8",
"3.2.9",
"4.0",
"4.0.1"
]
}
],
"aliases": [
"CVE-2022-22818",
"GHSA-95rw-fx8r-36v6"
],
"details": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
"id": "PYSEC-2022-19",
"modified": "2022-02-03T06:35:22.988491Z",
"published": "2022-02-03T02:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/4.0/releases/security/"
},
{
"type": "ARTICLE",
"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!forum/django-announce"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-95rw-fx8r-36v6"
}
]
}
bit-django-2022-22818
Vulnerability from bitnami_vulndb
Published
2024-03-06 10:53
Modified
2025-04-03 14:40
Summary
Details
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "django",
"purl": "pkg:bitnami/django"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.27"
},
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.12"
},
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.2"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2022-22818"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
"id": "BIT-django-2022-22818",
"modified": "2025-04-03T14:40:37.652Z",
"published": "2024-03-06T10:53:28.699Z",
"references": [
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/4.0/releases/security/"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5254"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22818"
}
],
"schema_version": "1.5.0"
}
GHSA-95RW-FX8R-36V6
Vulnerability from github – Published: 2022-02-04 00:00 – Updated: 2024-09-20 15:35
VLAI?
Summary
Cross-site Scripting in Django
Details
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Severity ?
6.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
},
{
"fixed": "2.2.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "3.2"
},
{
"fixed": "3.2.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.0"
},
{
"fixed": "4.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-22818"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-04T16:10:27Z",
"nvd_published_at": "2022-02-03T02:15:00Z",
"severity": "MODERATE"
},
"details": "The `{% debug %}` template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
"id": "GHSA-95rw-fx8r-36v6",
"modified": "2024-09-20T15:35:34Z",
"published": "2022-02-04T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22818"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/4.0/releases/security"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-95rw-fx8r-36v6"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-19.yaml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!forum/django-announce"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220221-0003"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5254"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Cross-site Scripting in Django"
}
CNVD-2022-31853
Vulnerability from cnvd - Published: 2022-04-24
VLAI Severity ?
Title
Django跨站脚本漏洞(CNVD-2022-31853)
Description
Django是Django基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。
Django中存在跨站脚本漏洞,该漏洞源于产品的{\% debug \%}模版标签不能正确的编码上下文数据。攻击者可通过该漏洞执行客户端代码。
Severity
中
Patch Name
Django跨站脚本漏洞(CNVD-2022-31853)的补丁
Patch Description
Django是Django基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。
Django中存在跨站脚本漏洞,该漏洞源于产品的{\% debug \%}模版标签不能正确的编码上下文数据。攻击者可通过该漏洞执行客户端代码。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://docs.djangoproject.com
Reference
https://docs.djangoproject.com/en/4.0/releases/security/
Impacted products
| Name | ['Django Django >=2.2,<2.2.27', 'Django Django >=3.2,<3.2.12', 'Django Django >=4.0,<4.0.2'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-22818",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-22818"
}
},
"description": "Django\u662fDjango\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u57fa\u4e8ePython\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002\u8be5\u6846\u67b6\u5305\u62ec\u9762\u5411\u5bf9\u8c61\u7684\u6620\u5c04\u5668\u3001\u89c6\u56fe\u7cfb\u7edf\u3001\u6a21\u677f\u7cfb\u7edf\u7b49\u3002\n\nDjango\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u7684{\\% debug \\%}\u6a21\u7248\u6807\u7b7e\u4e0d\u80fd\u6b63\u786e\u7684\u7f16\u7801\u4e0a\u4e0b\u6587\u6570\u636e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://docs.djangoproject.com",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2022-31853",
"openTime": "2022-04-24",
"patchDescription": "Django\u662fDjango\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u57fa\u4e8ePython\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002\u8be5\u6846\u67b6\u5305\u62ec\u9762\u5411\u5bf9\u8c61\u7684\u6620\u5c04\u5668\u3001\u89c6\u56fe\u7cfb\u7edf\u3001\u6a21\u677f\u7cfb\u7edf\u7b49\u3002\r\n\r\nDjango\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u7684{\\% debug \\%}\u6a21\u7248\u6807\u7b7e\u4e0d\u80fd\u6b63\u786e\u7684\u7f16\u7801\u4e0a\u4e0b\u6587\u6570\u636e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Django\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-31853\uff09\u7684\u8865\u4e01",
"products": {
"product": [
"Django Django \u003e=2.2\uff0c\u003c2.2.27",
"Django Django \u003e=3.2\uff0c\u003c3.2.12",
"Django Django \u003e=4.0\uff0c\u003c4.0.2"
]
},
"referenceLink": "https://docs.djangoproject.com/en/4.0/releases/security/",
"serverity": "\u4e2d",
"submitTime": "2022-02-10",
"title": "Django\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-31853\uff09"
}
GSD-2022-22818
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-22818",
"description": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
"id": "GSD-2022-22818",
"references": [
"https://www.suse.com/security/cve/CVE-2022-22818.html",
"https://ubuntu.com/security/CVE-2022-22818",
"https://advisories.mageia.org/CVE-2022-22818.html",
"https://access.redhat.com/errata/RHSA-2022:5498",
"https://www.debian.org/security/2022/dsa-5254",
"https://access.redhat.com/errata/RHSA-2022:8506",
"https://access.redhat.com/errata/RHSA-2022:8853",
"https://access.redhat.com/errata/RHSA-2022:8872",
"https://security.archlinux.org/CVE-2022-22818"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-22818"
],
"details": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.",
"id": "GSD-2022-22818",
"modified": "2023-12-13T01:19:29.545383Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-22818",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!forum/django-announce",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!forum/django-announce"
},
{
"name": "https://docs.djangoproject.com/en/4.0/releases/security/",
"refsource": "MISC",
"url": "https://docs.djangoproject.com/en/4.0/releases/security/"
},
{
"name": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/",
"refsource": "CONFIRM",
"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
},
{
"name": "FEDORA-2022-e7fd530688",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220221-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
},
{
"name": "DSA-5254",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5254"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.2,\u003c2.2.27||\u003e=3.2,\u003c3.2.12||\u003e=4.0,\u003c4.0.2",
"affected_versions": "All versions starting from 2.2 before 2.2.27, all versions starting from 3.2 before 3.2.12, all versions starting from 4.0 before 4.0.2",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2022-11-07",
"description": "The {% debug %} template tag in Django does not properly encode the current context. This may lead to XSS.",
"fixed_versions": [
"2.2.27",
"3.2.12",
"4.0.2"
],
"identifier": "CVE-2022-22818",
"identifiers": [
"CVE-2022-22818"
],
"not_impacted": "All versions before 2.2, all versions starting from 2.2.27 before 3.2, all versions starting from 3.2.12 before 4.0, all versions starting from 4.0.2",
"package_slug": "pypi/Django",
"pubdate": "2022-02-03",
"solution": "Upgrade to versions 2.2.27, 3.2.12, 4.0.2 or above.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-22818",
"https://docs.djangoproject.com/en/4.0/releases/security/",
"https://www.djangoproject.com/weblog/2022/feb/01/security-releases/",
"https://groups.google.com/forum/#!forum/django-announce"
],
"uuid": "0f42d7e2-3f21-4f2d-b069-cd430ea4534b"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.2.12",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.0.2",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.2.27",
"versionStartIncluding": "2.2",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-22818"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.djangoproject.com/en/4.0/releases/security/",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://docs.djangoproject.com/en/4.0/releases/security/"
},
{
"name": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
},
{
"name": "https://groups.google.com/forum/#!forum/django-announce",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/#!forum/django-announce"
},
{
"name": "FEDORA-2022-e7fd530688",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220221-0003/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
},
{
"name": "DSA-5254",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5254"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2022-11-07T18:34Z",
"publishedDate": "2022-02-03T02:15Z"
}
}
}
FKIE_CVE-2022-22818
Vulnerability from fkie_nvd - Published: 2022-02-03 02:15 - Updated: 2024-11-21 06:47
Severity ?
Summary
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://docs.djangoproject.com/en/4.0/releases/security/ | Patch, Third Party Advisory | |
| cve@mitre.org | https://groups.google.com/forum/#%21forum/django-announce | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/ | ||
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20220221-0003/ | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2022/dsa-5254 | Third Party Advisory | |
| cve@mitre.org | https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.djangoproject.com/en/4.0/releases/security/ | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/forum/#%21forum/django-announce | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220221-0003/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2022/dsa-5254 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| djangoproject | django | * | |
| djangoproject | django | * | |
| djangoproject | django | * | |
| fedoraproject | fedora | 35 | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F7324BB5-64C7-45F6-ADEB-E0929B4B00B6",
"versionEndExcluding": "2.2.27",
"versionStartIncluding": "2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D15BB946-FCF5-43FC-99EF-EBB2513CA2FB",
"versionEndExcluding": "3.2.12",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA09D497-21DD-410D-9692-A601B1EAA0B9",
"versionEndExcluding": "4.0.2",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."
},
{
"lang": "es",
"value": "La etiqueta de plantilla {% debug %} en Django versiones 2.2 anteriores a 2.2.27, 3.2 anteriores a 3.2.12 y 4.0 anteriores a 4.0.2, no codifica correctamente el contexto actual. Esto puede conllevar a un ataque de tipo XSS"
}
],
"id": "CVE-2022-22818",
"lastModified": "2024-11-21T06:47:30.683",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-03T02:15:07.580",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://docs.djangoproject.com/en/4.0/releases/security/"
},
{
"source": "cve@mitre.org",
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5254"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://docs.djangoproject.com/en/4.0/releases/security/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220221-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5254"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…